CS-413 [BUG] SoA shows "unavailable" to auditor account#2925
Open
github-actions[bot] wants to merge 7 commits into
Contributor
1 issue found across 1 file
Confidence score: 2/5
- There is a concrete security/authorization risk: ensure-setup in apps/api/src/soa/soa.controller.ts can create SOA records while only requiring audit:read, which permits mutation under a read-level scope.
- Given the high severity (7/10) and high confidence (9/10), this is likely user-impacting and raises regression risk if merged without tightening permissions for the endpoint.
- Pay close attention to apps/api/src/soa/soa.controller.ts: align endpoint authorization with write/create behavior to avoid privilege escalation.
Contributor
@cubic-dev-ai please review it
Contributor
@chasprowebdev I have started the AI code review. It will take a few minutes to complete.
Contributor
2 issues found across 8 files
Confidence score: 2/5
- There is a high-risk tenant isolation issue in apps/api/src/soa/soa.controller.ts: trusting organizationId from the request body instead of enforcing @OrganizationId() can allow cross-tenant access/update behavior. apps/app/src/app/(app)/[orgId]/documents/statement-of-applicability/components/SOAFrameworkTabs.tsx also has a user-facing regression risk where getSOASetup can leave tabs stuck in a perpetual loading spinner when setup is missing or fetch fails.
- Given the high severity (8/10) and high confidence (9/10) on the API scoping issue, this is not quite safe to merge without fixes.
- Pay close attention to apps/api/src/soa/soa.controller.ts and apps/app/src/app/(app)/[orgId]/documents/statement-of-applicability/components/SOAFrameworkTabs.tsx: enforce tenant scoping in the controller and ensure loading/error fallback exits spinner state.
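The two review comments above describe the same pair of defects in the SOA controller: a create path reachable under the read-level audit:read scope, and a tenant id taken from the request body rather than from the authenticated session (the @OrganizationId() decorator the reviewer mentions). The following is an added, framework-free TypeScript model of that pattern next to a scoped version; it is not the project's code. The scope name soa:write, the in-memory store, the handler names and the HTTP status mapping are assumptions; only audit:read, organizationId and the read-only get-setup idea come from the thread.

```typescript
// Added example, not code from the PR or the project: a dependency-free model of
// the two review findings. Scope name "soa:write", the store, and the handler
// signatures are assumptions; only "audit:read" comes from the review.

type Scope = "audit:read" | "soa:write";

interface Principal {
  organizationId: string; // tenant bound server-side to the session/token
  scopes: Scope[];
}

interface SoaRecord {
  organizationId: string;
  frameworkId: string;
}

interface SetupBody {
  organizationId?: string; // client-supplied; must never decide the tenant
  frameworkId: string;
}

class HttpError extends Error {
  constructor(readonly status: number, message: string) {
    super(message);
    Object.setPrototypeOf(this, HttpError.prototype);
  }
}

class SoaStore {
  private records: SoaRecord[] = [];
  find(organizationId: string, frameworkId: string): SoaRecord | undefined {
    return this.records.find(
      (r) => r.organizationId === organizationId && r.frameworkId === frameworkId,
    );
  }
  create(organizationId: string, frameworkId: string): SoaRecord {
    const record = { organizationId, frameworkId };
    this.records.push(record);
    return record;
  }
  count(): number {
    return this.records.length;
  }
}

function requireScope(principal: Principal, scope: Scope): void {
  if (!principal.scopes.includes(scope)) {
    throw new HttpError(403, `missing scope ${scope}`);
  }
}

// Pattern the review flagged: the tenant comes from the request body and a
// read-level scope is enough to create a record.
function ensureSetupFlagged(store: SoaStore, principal: Principal, body: SetupBody): SoaRecord {
  requireScope(principal, "audit:read");
  const orgId = body.organizationId ?? principal.organizationId;
  return store.find(orgId, body.frameworkId) ?? store.create(orgId, body.frameworkId);
}

// Read-only lookup for auditors: tenant taken from the principal, nothing is
// created, and null signals "no setup yet" so the caller can render an empty state.
function getSetup(store: SoaStore, principal: Principal, frameworkId: string): SoaRecord | null {
  requireScope(principal, "audit:read");
  return store.find(principal.organizationId, frameworkId) ?? null;
}

// Creation path: requires a write scope and ignores any organizationId in the body.
function ensureSetupScoped(store: SoaStore, principal: Principal, body: SetupBody): SoaRecord {
  requireScope(principal, "soa:write");
  const orgId = principal.organizationId;
  return store.find(orgId, body.frameworkId) ?? store.create(orgId, body.frameworkId);
}

// Constructed scenario: an auditor bound to org-a sends a body naming org-b.
function runScenario() {
  const store = new SoaStore();
  const auditor: Principal = { organizationId: "org-a", scopes: ["audit:read"] };
  const body: SetupBody = { organizationId: "org-b", frameworkId: "iso27001" };

  const flagged = ensureSetupFlagged(store, auditor, body);
  const readOnly = getSetup(store, auditor, body.frameworkId);
  let scopedStatus = 200;
  try {
    ensureSetupScoped(store, auditor, body);
  } catch (e) {
    scopedStatus = e instanceof HttpError ? e.status : 500;
  }
  return {
    flaggedWroteTo: flagged.organizationId, // "org-b": cross-tenant write under audit:read
    readOnlyResult: readOnly,              // null: org-a has no setup and nothing was created
    scopedStatus,                           // 403: write scope required
    recordsCreated: store.count(),          // 1, all of it from the flagged handler
  };
}
```

The scenario makes the reviewer's two points observable in one run: the flagged handler both writes under a read scope and writes into a tenant the caller was never bound to, while the scoped variants either return null for the empty-state case or refuse with 403. Binding the tenant from the principal also removes the frontend's dependency on a create-on-read endpoint, which is what lets the tabs show an empty state instead of spinning.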
This is an automated pull request to merge chas/soa-as-auditor into dev.
It was created by the [Auto Pull Request] action.
Summary by cubic
Add read-only get-setup API (audit:read), pass trusted org ID to the service, and show an empty state when setup is missing so auditors can view SOA without creating records (CS-413).
Written for commit eace526.